MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e00ba7b865f84ff41de5217b89fb197f5559c137c48d6d84313252cd459f4b12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	e00ba7b865f84ff41de5217b89fb197f5559c137c48d6d84313252cd459f4b12
SHA3-384 hash:	77ac271977b0d776f0b48c20af18f93f2170a0f3c4eadba9a2a318c3729de408e49230be5d998fd923bcf3f8cd0f93b9
SHA1 hash:	2e5e6e9c29f6a423bc5edc073043cc88decb09c5
MD5 hash:	051d9f44fe304d758ec022a42702f1d1
humanhash:	spring-queen-harry-carbon
File name:	Interested items with pictures, specification & Quantity~PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	331'040 bytes
First seen:	2020-10-09 05:57:44 UTC
Last seen:	2020-10-09 07:09:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	6144:i1GMf/gnjdesM9ln46ISnSURNngLNtG9pImh3:i1GMfonxeYSSgngIh
Threatray	423 similar samples on MalwareBazaar
TLSH	4C64B7212BA9FC36D0B78FB5B4429504F576FD6A4DB2CD08C578129FC432E80BC697A6
Reporter	abuse_ch
Tags:	AgentTesla exe MailChannels

abuse_ch

Malspam distributing AgentTesla:

HELO: burlywood.elm.relay.mailchannels.net
Sending IP: 23.83.212.26
From: info@yunfengfoods.com
Subject: Inquiry for Quotation
Attachment: Interested items with pics, Spec Qty.gz (contains "Interested items with pictures, specification & Quantity~PDF.exe")

AgentTesla SMTP exfil server:
greenlandexportimport.com:587

AgentTesla SMTP exfil email address:
origin@vizvec.com

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/69392/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

DNS request

Sending a custom TCP request

Adding an access-denied ACE

Unauthorized injection to a recently created process

Creating a file

Creating a window

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/486247

Signature

Binary contains a suspicious time stamp

Connects to a pastebin service (likely for C&C)

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e00ba7b865f84ff41de5217b89fb197f5559c137c48d6d84313252cd459f4b12/

Threat name:

ByteCode-MSIL.Infostealer.Stelega

Status:

Malicious

First seen:

2020-10-08 13:09:10 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4af2podf7bh7ihpfef5yt6yzp5kvtqjxysgw3bbrgjjm2rm7jmja._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

36f888cfcc5ca73bed330401ff231b38012baad656797b803d51157ee2252177

AgentTesla

459838dd5e98a4fe8c51d2d0c3c7850319b1a13cb41f568aa0cf6cb0bba6e9ef

AgentTesla

5b48475bbc32e2dbd6ebfb746071c6192e57dfdfcfc0cfb1ae9f381663728537

AgentTesla

66c8e38b2f545edd7660168b8e778c165f200867abb90cd07c2f033ea1ae8405

AgentTesla

7f717f3d6242070c4f59575f510fa366e5cbd6c17ad484c0735fca89e365a351

AgentTesla

818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e

AgentTesla

d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d

AgentTesla

df2618236af018e94e2c167826edfed81faab5a6c5ace255d84d9f07296a63c7

AgentTesla

eed860fb0b48051582b2f34f20bc47f0fa5cd2273d20df99d339d1058e79113f

AgentTesla

+ 413 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201009-1rq4sl2taj/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

e00ba7b865f84ff41de5217b89fb197f5559c137c48d6d84313252cd459f4b12

MD5 hash:

051d9f44fe304d758ec022a42702f1d1

SHA1 hash:

2e5e6e9c29f6a423bc5edc073043cc88decb09c5

Link:

https://www.unpac.me/results/bc1a3fa9-68ec-47d3-92d7-70787cdcf6cf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e00ba7b865f84ff41de5217b89fb197f5559c137c48d6d84313252cd459f4b12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.